Hack me, if you can: why do firms put themselves “on a hit list”

Хакни мене, якщо зможеш: навіщо компанії себе «замовляють» Хакни меня, если сможешь: зачем компании себя «заказывают» Hack me, if you can: why do firms put themselves “on a hit list”

Penetrations, data thefts, cyberattacks – this is what springs to mind when we think about hackers, but legit firms use their services.

Mass media gave new negative meaning to the word “hacker”. Penetrations, data thefts, cyberattacks – this is what springs to mind when we think about present-day hackers. But in sober fact, hackers are security experts who are looking for vulnerabilities. Fairly law-abiding companies use to employ them to discover the vulnerabilities in their systems and to test the “soundness” of their products. For the average person to distinguish this type of hackers from “malicious” hackers, they started to be called “white hats”, or “ethical hackers”.

How do “ethical” hackers work

“They are ethical in broad terms, they are dealing with systems analysis and finding the ways to use it aside from how it was planned by the developers,” – Volodymyr Styran, co-founder at Berezha Security and “ethical hacker” said. Ethical hacker is a profession. These are people, who hack systems not to rob their owners, but to show them the vulnerabilities in these systems and to help them to correct the weaknesses and failings.

This is usually done with the explicit authorization of the system owner. “In other words, top officials of the company sign and seal relevant document, which will be then used to perform so-called penetration testing or something like this,” – Mr. Styran said.

There are companies and platforms specializing in legal hacking. For instance, Ukrainian project HackenProof, where 50 developers residing in Kyiv work. Its headquarter is located in Tallinn (Estonia). HackenProof is the platform that works on the same principle as a crowdsourcing does, i.e. hackers from various countries are connected to it. Interkassa Ukrainian payment service and Tickets.ua ticket sales service are among the customers of HackenProof. HackerOne with its headquarter in San Francisco and offices in the Netherlands and London is one of world’s largest hacking platforms

“So, as you will have realized, this is not “unauthorized access” and “hacking”, as it is described in mass culture, but quite standardized and routine procedures, much-in-demand for major companies having large-scale IT-infrastructure. After all, as you might know, the more complex the system is, the higher the risk of errors and failures,” – Vladimir Kurg, R&D Director at IT-Integrator, said.

Penetration testing is the simplest service that may be rendered. In the experience of Mr. Kurg, penetration testing gained instant popularity as far back as in late 1990s. Currently pentests are supplemented by penetrating from networks of partners and counterparts. There is also a set of separate tasks with specific characteristics: assessment of “internal” vulnerabilities as both in relation to insiders – malicious users of the company working in its local networks, and predisposition of loyal users to social engineering methods.

“Classical testing services as to outside penetration are in demand and market of such services is rather mature, but, as far as I know, demand for internal vulnerabilities is low. It is likely that this happens due to the fact that procedures and methods of the first case are purely technical, while the human factor of the second case plays an essential role,” – Mr. Kurg said.

How much hackers get paid

The resource audit that is served as the basis for penetration testing results and recommendations provision costs $500 and up. When recommendations are implemented, secondary audit is usually performed. When it comes to hardware products auditing, the cost of penetration may be dozens and hundreds times higher.

“Penetration tests is a simple and mainstream solution. However, penetration into well-secured systems by “white hats” is up-market solution that costs a fortune. Corporations like Facebook pay huge amount of money to find vulnerabilities,” – Andrey Yavorsky, VP Engineering at GlobalLogic, explained.

Most of the companies, including Ukrainian ones, have Bug Bounty programs – when independent hackers are rewarded for vulnerabilities finding. In November 2017, Kyivstar telecoms operator has launched such program at Bugcrowd platform in closed mode. On March 13, 2018 telecoms operator has officially invited all wishing to participate in it. Reward paid for one vulnerability found may be up to $3,000. The average amount paid for the last three months was $ 450.

“The need for in-depth testing is inexhaustible, since every single month the company makes releases of updated versions of existing products or launches new products,” – the press service of Kyivstar reported. Digital experts of the company said that the satisfied with the results delivered by Bug Bounty. On March 27 public testing was over, and by that time some 300 messages were received, inclusive of dublicative messages. Now they are being examined by the technical teams, some bugs are already fixed.

More than 150 researchers all over the world took part in this program since the moment of its launch. This is preliminary data, more detailed information will be provided upon the analysis of two-week public program.

Ukraine’s largest bank, has also boasted of the results of similar work: Privatbank that is currently rendering services to 18 million customers is working with Bug Bounty program since 2012. In 2017 it has paid a reward amounting to UAH 512,000 ($19,266) for the penetration into its digital services. A total of 127 “white hats” were awarded. On this March Privatbank has introduced special website for bughunters, through which they may receive money for the vulnerabilities found -– up to $ 1,000 per each.

In the case of Privatbank, most of vulnerabilities related to PrivatMarket marketplace rather than to banking services. One of such vulnerabilities is potential opportunity for the sellers to change the price while selling the goods. Moreover, bank has fixed the bug as to unauthorized editing of seller’s store webpage. “It is getting more difficult to find vulnerabilities in the most popular banking services, such as Privat24, but we are ready to keep on paying real money for each message confirmed,” – Vyacheslav Nekhoroshikh, Head of Information Security at Privatbank, said.


Services rendered by hackers are currently ordered not by major companies only, but by startups as well. Hideez is one of them. It is developing universal “key to all passwords” – gadget that disburden person of the need to keep in mind all his passwords and enter them every time. Device is already being sold in stores, in Ukraine as well. Moreover, Hideez has a software solution – application with similar functionalities.

“Any company that develop IT-solutions, IoT (solutions in the field of “Internet of things” – Editor’s note) for agricultural industry, security or for any other industry, – all they are exposed to penetrations, attacks, loss of user data. On a good note, all companies shall be  audited for vulnerabilities,” – Oleg Naumenko, CEO and co-founder at Hideez, said.

Startup has passed its first private testing prior to the launch of sales and has fixed its vulnerabilities. In mid-March 2018 the team of Hideez has visited Troopers information security conference of Germany, where they were offered to “hack” their product. This was actually Bug Bounty public program with prize fund. Hackers from HackenProof are currently “hacking” Hideez

According Oleg Naumenko, it is much better to find the vulnerability by yourself and to prevent possible hackings prior to the damage that may be caused to data about customers. “Even through the lens of economics, it is cheaper than to compensate for losses incurred to the customers,” – reported he to Innovation House. It is of prime importance for the startup dealing with security field, since during the Bug Bounty public program you may get market feedback. This boosts the level of trust to the product.

However, Vladimir Kurg said that one-shot events as to vulnerability assessment of systems and security arrangements, are insufficient and quoted American cryptographer “Security is a process, not a product.”